According to Google, a lot of Android devices have security vulnerabilities and manufacturers have failed to patch that vulnerability.
Google has exposed a number of security vulnerabilities in phones using Mali GPUs, such as those with an Exynos SoC. The search giant’s Project Zero team has found the source of the problem. GPU producer ARM would be responsible and would have been pointed out in the summer.
The chip manufacturer immediately addressed the problem, but… smartphone manufacturers (including Samsung, Xiaomi, Oppo and Google itself) only started rolling out patches this week. That means that a lot of smartphones were vulnerable in the meantime, Project Zero reports.
Android vulnerable to hackers
The researchers at Google were able to detect five major problems in June and July and worked with ARM to solve them. “One of the issues resulted in corrupted kernel memory. Another issue pushed physical memory addresses to userspace, and the remaining three issues involved a physical page use-after-free condition,” Project Zero engineer Ian Beer wrote in a blog post. “These issues would allow a hacker to continue reading and overwriting physical pages even after they returned to the system,” the technical explanation reads.
According to Beer, a hacker could just gain full access to an Android system by bypassing the permissions and thus “gaining broad access to user data”. The attacker could do that by forcing the kernel to reuse the physical pages mentioned above as page tables.
Smartphone manufacturers reacted too late
Subsequently, Project Zero had to determine that Android devices were still vulnerable, even though ARM had already solved the problems three months earlier. It is difficult to say which manufacturers have since released a patch that covers this problem. But, if you have a Snapdragon chip in your device, then you’re already safe.